Re: German Government claims to be able to break PGP and SSH

2012-05-24 Thread Stuart VanZee
>>What do you guys think about the reliability of the news
>>(unfortunately in German only) on www.golem.de
>
>My German's rusty but the follow-up article quoting Symantec mentions
>spyware/keylogging, which has been the traditional "technique" used
>in the past.
>
>-- p

Quick, someone, how do you say autobucket in German!

s



FW: Force passwordcheck in login.conf

2010-10-14 Thread Stuart VanZee
For 8.5.12, see the login.conf man page and look for passwordcheck.
You will have to write (or find) a program that keeps track
of previously used passwords.  I just stored a hash of them
in a file and have it check to see if the new password hash
matches any of the old 4 password hashes.

For 8.5.13, see the login.conf man page and look for auth.  You will
(again) have to write a program that does this.  In this
case, you will be writing a new login authentication method.
I haven't figured out how to integrate this with ssh, but in
my case that doesn't apply as I disabled password login into
ssh and everyone uses keys.

Sadly, when I did all of this it was for work, so the place I
work owns the code and I have not been given permission to
give that code away.  I wrote mine in Python because I know
and understand Python, but it could probably be done using
any language.

 s

>
> We are currently being reviewed for PCI DSS compliance, and
> the big problems
> we have right now with the combination of PCI DSS and OpenBSD
> is the following
> PCI DSS requirements:
> 8.5.12 Password history check - you may not use the last 4
> passwords.
> 8.5.13 Lockout after 6 failed attempts - OpenBSD does not
> lock accounts
> automatically.
> 8.5.14 If 8.5.13 takes effect, the account must be locked for
> at least 30
> minutes.
>
> How have you addressed these requirements? I'm starting to
> think we need a
> RADIUS solution, which seems a bit redundant working with OpenBSD...
>
> Regards, Leif
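As an added illustration of the history check described above (this is not the poster's code, which he says he cannot share), here is a passwordcheck-style filter in Python. It assumes, rather than takes from the post, that passwd(1) hands the program the user name as argv[1] and the candidate password on stdin and treats exit status 0 as acceptance; the history file path is a placeholder.

```python
#!/usr/bin/env python3
"""Password-history filter for the login.conf 'passwordcheck' hook.

Added example, not the poster's code.  Assumptions (mine, not from the
post): passwd(1) runs this program with the user name as argv[1] and the
candidate password on stdin, and treats exit status 0 as "accepted".
Old passwords are kept as salted PBKDF2 hashes, one
"user:salt_hex:hash_hex" line each, in a root-owned file.
"""
import hashlib
import hmac
import os
import sys

HISTORY_FILE = "/etc/passwd_history"   # placeholder path; root:wheel 0600
HISTORY_DEPTH = 4                       # PCI DSS 8.5.12: no reuse of last 4
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so the history file is no easier to
    crack offline than the system password database."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


def make_entry(user: str, password: str) -> str:
    """Build one history line with a fresh random salt."""
    salt = os.urandom(16)
    return f"{user}:{salt.hex()}:{hash_password(password, salt).hex()}"


def parse_history(lines):
    """Return {user: [(salt, digest), ...]} in file order (oldest first).
    Corrupt lines are skipped rather than raising: a crash here would
    make passwd(1) reject every new password for every user."""
    history = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            user, salt_hex, digest_hex = line.split(":", 2)
            entry = (bytes.fromhex(salt_hex), bytes.fromhex(digest_hex))
        except ValueError:
            continue
        history.setdefault(user, []).append(entry)
    return history


def is_reused(password: str, entries, depth: int = HISTORY_DEPTH) -> bool:
    """True if password matches any of the user's last `depth` hashes.
    Each entry has its own salt, so the candidate is re-hashed per entry
    and compared in constant time."""
    for salt, digest in entries[-depth:]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            return True
    return False


def check_and_record(user, password, lines, depth=HISTORY_DEPTH):
    """Core decision: returns (accepted, new_history_line_or_None).
    Pure function over the history lines so it can be tested offline."""
    entries = parse_history(lines).get(user, [])
    if is_reused(password, entries, depth):
        return False, None
    return True, make_entry(user, password)


def main() -> int:
    if len(sys.argv) != 2:
        sys.stderr.write("usage: passwordcheck <user>\n")
        return 2
    user = sys.argv[1]
    password = sys.stdin.readline().rstrip("\n")
    try:
        with open(HISTORY_FILE) as fh:
            lines = fh.readlines()
    except FileNotFoundError:
        lines = []                      # first run: no history yet
    accepted, new_line = check_and_record(user, password, lines)
    if not accepted:
        sys.stderr.write(
            f"Password matches one of the last {HISTORY_DEPTH} used.\n")
        return 1
    # Recorded at acceptance time (assumption: a passwd run that gets this
    # far goes on to set the password).  Append only; never rewrite.
    with open(HISTORY_FILE, "a") as fh:
        fh.write(new_line + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Only 8.5.12 is covered here; the lockout in 8.5.13/8.5.14 needs the separate auth method the post mentions.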



Re: Donations

2010-12-10 Thread Stuart VanZee
> Err, that's supposed to be essential liberty and temporary security.
>
> Any society that *doesn't* give up at least a little liberty
> is anarchy and
> Franklin was not, to my knowledge, an anarchist.
>
> On Dec 10, 2010, at 8:19 AM, Leonardo Rodrigues wrote:
>
> > To paraphrase Benjamin Franklin (an american! diplomat!):
> >
> > "Any society that would give up a little liberty to gain a little
> > security will deserve neither and lose both."
>
>

I would have to agree that the people of the United States have lost
some of their essential liberties.  The problem has been in defining what
exactly ARE the essential liberties and then getting our congress and our
president to keep their mitts off of them.  Still, I would argue that
even now there are few places in the world where the people can enjoy
liberty as freely as in the United States.

Additionally, for purposes of this thread, the Ben Franklin quote is a
complete straw-man.  Ben Franklin was talking about the giving up of essential
liberty by allowing the government to take it away in exchange for some
promised security.  The origin of this thread has nothing to do with a
government action and everything to do with an action by a private company
against another private company.

I suspect that more often than not when that particular Ben Franklin quote
comes out it is in an attempt by the quoter to feel superior to those he
is quoting to.  If that was the case, it was an epic fail in both not looking
up the quote to get the text right and not considering that the quote doesn't
fit the situation.

s



Re: Wildest Africa Tour

2011-04-04 Thread Stuart VanZee
Don't be silly.  While lions do provide excellent physical security
they don't provide any data security at all.

s

>
> OpenBSD vs a Lion?
>
> __
> Anton Parol
> Customer Services * Orc Software
>
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
> On Behalf Of
> Bushveld Safaris, Tours and Transfers
> Sent: Monday, April 04, 2011 3:40 PM
> To: misc@openbsd.org
> Subject: Wildest Africa Tour
>
> Dear Sir / Madam
>
> I have this agent that has booked a very interesting
> tailor-made "10 Day Wildest Africa" tour. He already has 4 people on the tour and still
> marketing to his other clients, as per the below dates, the
> closing date is
> 15
> June 2011. I am looking to try and get a full group and have
> therefore opened
> up to all. Please remember to add your recommended 15 % commission.
>
> Tour suggestion:
>
> Tour Dates:  31 August 2011 - 9 September 2011
>
> Duration:  9 Nights / 10 Days
>
> Number of persons: 6 +
>
> Tour:  "Kruger, Chobe & Victoria Falls" - similar to attached
> itinerary. You
> would need to book their flights to arrive in Johannesburg
> and depart from
> Johannesburg. Clients also have the opportunity to add-on an
> extra day or two
> in Zimbabwe or a Cape Town add-on tour.
>
> Quote:
>
> R28 795.00 per person sharing (15 % single supplement)
>
> Add-on at Elephant Hills Hotel  (B&B) at R1050.00 per
> person sharing per
> night
>
> Included: Air ticket - Victoria Falls to Johannesburg (one-way),
> accommodation (2-4*), transport, guide, meals as indicated,
> porterage where
> available, conservation fees and all entrance fees as per itinerary.
>
> Excluded:Passport / visa fees (Zimbabwe - pay in cash on
> arrival US$55.00
> per person), travel insurance, phone calls, facsimiles, beverages,
> gratuities,
> items of a personal nature, excess baggage, entrance fees for optional
> excursions not included in the tour.
>
> Once the quote has been accepted, please confirm, so that we
> can go ahead and
> make provisional bookings to avoid any disappointment due to lack of
> availability of accommodation, etc. A 20 % deposit is required for
> confirmation and the balance of payment 60 days before
> arrival. Please refer
> to our Standard "Terms & Conditions" on our website, which
> becomes a contract
> on confirmation. Payment can be done by bank transfer or with
> a credit card
> (7.5 % surcharge on credit card payments).
>
> Many thanks
>
> Laurence Marks
>



Re: Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)

2011-04-19 Thread Stuart VanZee
> Tshirt sales from Canada (the computer shop / https.openbsd.org) and
> from the UK (openbsdeurope.com) fund the project just like the mugs,
> the CD's, posters, etc..
>

Nice to know, I also was of the mistaken belief that the T-Shirt sales
didn't benefit the project (it is what I heard).  Now that I know, I
will be buying me some T-Shirts!  AND at least one hoodie!  Hmm... and
maybe a coffee mug.

Thank you all for your wonderful work on OpenBSD.

s

OpenBSD, making me look like a freakin genius to my bosses since 3.6



Re: Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)

2011-04-20 Thread Stuart VanZee
> On Tue, Apr 19, 2011 at 08:11:10PM +, Miod Vallat wrote:
> > > "The OpenBSD project does not receive any proceeds from
> tshirt, posters, doll or
> > > book sales."
> >
> > In any case, the OpenBSD project receives more money from
> the sale of
> > one CD set than from the sale of one clothing attire, due to the
> > production costs of said items.
> >
> > So if you want to contribute but don't know what to get,
> get a CD set
> > (or several!). Noone will mind if you frame them and hang
> them on your
> > wall; it's the thought which counts.
> >
> > Miod
> >
>
> In fact one famous CD decorates the ceiling of a Calgary bar. Why
> not upgrade the decor of your local drinking establishment and
> give them a CD set to put on the wall/ceiling! And then you can
> raise a beer to OpenBSD every visit.
>
>  Ken
>

Ken,

I hang out in the most red-neck hick places.  They would likely
try to put the CD in the juke box and would get mad that it
didn't play.  You should see them look at the OpenBSD shirts that
I wear there occasionally.  I think they think they are for some
kind of devil-music rock band or something.

s



Re: Clamav

2007-11-05 Thread Stuart VanZee
>FROM Peter Fraser
>
>I use clamav on my mail server. The version of clamav on 4.1
>was obsolete for a while, long enough that it was hard to
>get updates on the virus signatures. I was going to put
>up 4.2 expecting to get an updated version of clamav, but
>I discovered that 4.2 still uses 0.90.3. The virus signatures
>providers are expecting 0.91.2.
>
>Is there a newer version coming, or is there a better virus
>scanner to use?
>

As long as you are tracking stable, you should be able to
go to the stable packages page and download the latest
package (a pkg for clamav_0.91.2 is there):

http://www.openbsd.org/pkg-stable.html

(make sure to look at the page and verify that you are
downloading the package for the right OpenBSD version)

I am also using clamav on a mail server running OpenBSD 4.1
and tracking stable, and this works out pretty well for me.

Note-
Sometimes it takes a while for the package to get updated
to the newest version but it gets there eventually.  I can only
assume that whoever maintains this is busy doing other very
important things so I don't think that complaining about it
is the right thing to do.  In fact, I have to thank them for
all the hard work they do on my behalf.

I am still learning and would probably be more of a hindrance
than a help, but if the maintainers of this port need a hand
I would be more than happy to help out with what I can.  Just
toss me an email.



Re: inetd needed for basic NAT/Firewall operation?

2007-12-05 Thread Stuart VanZee
I have inetd disabled on almost all of my systems (including all my
firewalls).  If you have commented out every service in inetd.conf,
there is no need to run inetd; it has nothing to do and just sits
there.

s

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Chris Smith
Sent: Wednesday, December 05, 2007 11:49 AM
To: misc@openbsd.org
Subject: inetd needed for basic NAT/Firewall operation?

Hello,

When using OpenBSD only as a NAT router / Firewall with all of the
services in inetd.conf commented out, is there any need to enable inetd?
I believe it's no longer necessary for ftp-proxy and want to make sure
I'm not missing anything.

Thank you.

-- 
Chris




Re: Marry Christmas!

2007-12-24 Thread Stuart VanZee
follow the shoe.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
James Hartley
Sent: Monday, December 24, 2007 2:05 PM
To: Unix Fan
Cc: misc@openbsd.org
Subject: Re: Marry Christmas!


On 23 Dec 2007 15:54:56 -0800, Unix Fan <[EMAIL PROTECTED]> wrote:
> Typically one spells it "Merry", not "Marry".

You never know.  Perhaps he was really wanting to be married to
Christmas or  have someone here marry Christmas.  Even though it isn't
clear on who is intended to be marrying Christmas, it may just be
important by itself that Christmas be married.

:-)



Re: Real men don't attack straw men

2008-01-03 Thread Stuart VanZee
>From: Rui Miguel Silva Seabra
>Sent: Thursday, January 03, 2008 10:03 AM
>To: misc@openbsd.org
>Subject: Re: Real men don't attack straw men
>
>On Thu, Jan 03, 2008 at 08:19:38PM +0530, Mayuresh Kathe wrote:
>> Nobody out here is going to listen to what you're going to say, and
>> you are going to go on and on about how you were justified in labeling
>> OpenBSD as not compliant with your interpretation of the word "free",
>> which we don't give a farthing for.
>
>He only doesn't want to *recommend* OpenBSD because of the ports tree
>distributing some (however few exceptions those are) proprietary software.
>
>He's not labelling OpenBSD non-free, just non-free-friendly because some
>non-free are distributed in the ports site.
>
>Now, you may disagree with his non-recommendation, but you're
>misinterpreting what's being said completely, and perhaps giving a worse
>judgement of his words than what he "did" (depending on the point of view).
>
>Rui
>
>(ps: if someone wants to answer back with insults just shove it, ok? I'm
>a fan of the Free Software operating system called OpenBSD and its
>policy on pro-active security)
>

And yet, you still don't have it quite right.  Saying that the ports system
distributes software is not correct.  The ports system only distributes some
make files and a few patches (all free).  These make files contain links to
where to download said "evil" software and make them easy to install...
should the user choose to.  It does not actually distribute the software.  I
for one think it is much more free to be allowed to choose for myself if I
want to stick with free software (99.9% of the time) or "go the low road"
(usually only if the free choice isn't usable for a particular situation)
and use non-free (non-free friendly) software, and I am very thankful to the
devs at OpenBSD for not only allowing that choice, but making it easy to do
so.

Freedom is about choice.  No matter how you stack it, limiting choice limits
freedom.  The whole political BS of GPL vs BSD etc. boils down to this.
OpenBSD does not limit choice.  I can do with it what I want.  If I could
figure out how to run IE on OpenBSD (legally) and I could talk one of the
ports devs into adding it to the ports tree (legally), IE would become one
more choice of web browser to use with OpenBSD, and no matter what kind of
religious/political issues anyone else has about it, in my book that would
be a good thing because it would give yet another choice.  Would I use it?
NOPE!  Would I make fun of anyone I saw using it?  YUP!  But, in a perverse
way, it would make OpenBSD even more free, because some nut job out there
would have the freedom to choose to run IE on OpenBSD if he wanted to.

So I ask you:  How does that limit freedom?

s



FW: Real men don't attack straw men

2008-01-03 Thread Stuart VanZee
> From: Rui Miguel Silva Seabra
> Sent: Thursday, January 03, 2008 10:53 AM
> To: Openbsd Misc (E-mail)
> Subject: Re: Real men don't attack straw men
>
>
> On Thu, Jan 03, 2008 at 10:38:08AM -0500, Stuart VanZee wrote:
> > >From: Rui Miguel Silva Seabra
> > >
> > >He's not labelling OpenBSD non-free, just
> non-free-friendly because some
> > >non-free are distributed in the ports site.
> >
> > And yet, you still don't have it quite right.  Saying that
> the ports system
> > distributes software is not correct.  The ports system only
> distributes some
> > make files and a few patches (all free).
>
> I'm not talking about the CVS tree, I'm talking about
>
> http://www.openbsd.org/4.2_packages/i386.html
>
> I'm sorry for the "abuse" of language if you want to make a strong
> difference between port and package.
>
> That is an OpenBSD site which has software, like for instance
> zangband,
> which is proprietary and is compiled and distributed from:
>
> ftp://ftp.openbsd.org/pub/OpenBSD/4.2/packages/i386/zangband-2.6.2p1-no_x11.tgz
>
> > These make files contain links to
> > where to download said "evil" software and make them easy
> to install...
>
> This is no mere link to a file, it's plain forward availability of a
> conveniently pre-compiled package which is installable and is
> tantamount
> to a recommendation.
>
> > should the user choose to.
>
> Since I'm (at least) smart enough not to install proprietary software,
> I don't have a strong problem with it, but for someone like RMS who
> wants to be able to recommend strictly Free Software
> operating systems,
> this can be seen as a severe drawback.
>
> I don't understand such violent answers from some people, they are as
> disproportionate as some of their claims are false.
>
> > choose to run IE on OpenBSD if he wanted to.
> > So I ask you:  How does that limit freedom?
>
> When you promote the usage of proprietary software, you're promoting a
> network effect that ends up with more people being less free:
>
>  those who chose to entrust others with their good judgement because
> they are not knowledgeable enough to make the decision just by
> themselves and get to accept your recommendations.
>
> Then some pages which only work with IE are now accessible, and maybe
> more people will use IE instead of Free Software browsers, and where
> does this road lead to? No good, IMHO.
>
> Best,
>
> --
> All Hail Discordia!
> Today is Pungenday, the 3rd day of Chaos in the YOLD 3174
> + No matter how much you do, you never do enough -- unknown
> + Whatever you do will be insignificant,
> | but it is very important that you do it -- Gandhi
> + So let's do it...?
>

Wow... it is incredibly telling that you chose a game, a pretty
obscure one at that as far as I can tell, to base your argument on.

The world will fall because OpenBSD "recommends" that people
install a game... a game that is free to copy and use for
non-commercial use (I looked it up), and you had to go through almost
the ENTIRE package collection all the way to the Zs before you
could find such a pitiful example.

This discussion all started because Mr. Stallman very publicly
stated that OpenBSD was non-free and distributed non-free software
in its ports tree.  I am pretty sure he had no knowledge of
zangband and its non-free license.  He was talking about non-free
software in the ports tree.

Let us further examine this.  The statement was: since this
non-free software is in our ports tree, it means that we are
recommending it to those who don't know any better than to use
non-free software (and therefore should be protected from it).  I
have to take that as a great compliment to the OpenBSD ports devs
because you are basically saying that the ports tree is so easy to
use that even someone that is clueless can use it!  Sadly, your
compliment is an empty one.  As wonderful as the ports tree is,
a person would have to have at least some technical know-how to
use it, and that kind of know-how doesn't grow inside a bubble.
This theoretical person would surely have come across at least
a little knowledge about open-source software principles while
gaining the knowledge to use the ports tree.  So what are we left
with?  We are left with you having a political/religious belief
in your ideals of "free software" that you want to limit the
choices of others as to whether they want to use this software or not.

Hmm... lets look through history for others who want to limit
people in the name of protecting them:

 Hitler - The Jews would be better off in containment.
 USA - We must confine Japanese Amer

Re: FW: Real men don't attack straw men

2008-01-03 Thread Stuart VanZee
> From: Rui Miguel Silva Seabra
> Sent: Thursday, January 03, 2008 12:48 PM
> To: Openbsd Misc (E-mail)
> Subject: Re: FW: Real men don't attack straw men
>
>
> On Thu, Jan 03, 2008 at 12:05:37PM -0500, Stuart VanZee wrote:
> > Wow... it is incredibly telling that you chose a game, a pretty
> > obscure one at that as far as I can tell, to base your argument on.
> >
> > The world will fall because OpenBSD "recommends" that people
> > install a game... a game that is free to copy and use for non-
> > commercial use (I looked it up), and you had to go through almost
> > the ENTIRE package collection all the way to the Zs before you
> > could find such a pitiful example.
>
> Because they are such pitiful cases, they could be easily removed and
> remove Stallman's objections to list OpenBSD at the recommended Free
> Software operating systems, right? More promotion of OpenBSD would be
> good, right?
>

CASE... not cases, you have come up with one CASE.  One example.  IF
I chose to believe in your modification of the original statement
that sparked this thread (which I don't) and believe that Mr. Stallman
was speaking of non-free software in packages, your side of the argument
gets smaller and smaller.  See what happens when you have to prove your
argument?  It all boils down to you having an issue with ONE package.
A game at that.  Not production software, or a web browser, or an email
package, a game.  A single game that, from the tone of your argument,
must be destroying all that free software stands for.  Guess what...
I read the license text for that game and it sounds exactly like what
your precious GPL would say if it was boiled down to its most basic
components.  You can have the source code...  You can modify the source
code... You just can't use the source code for your commercial
application.  Sound familiar?  That is almost exactly what I was told
by a GPL zealot that the GPL lic was all about when I was first
introduced to Linux so many years ago.

So your example of why OpenBSD isn't free is a farce.  It wouldn't
bother me if the OpenBSD devs decided to axe that package.  If I
wanted to use it I could install it from ports just fine, I usually
do anyway, but the argument that they should do so to fit yours or
Mr. Stallman's ideals of what free software is about is wrong on so
many levels.

It comes down to trying to force others to live by your ideals.  It's
just like the Christian crowd thinking that it's ok to discriminate
against the pagans because it would take such a small thing for them
(us) to convert to Christianity.  Never mind that many of us pagans
view Christianity as a violent death cult, so why would we ever want
to.  You say that it would be such a small thing for the OpenBSD
project to do to live up to your ideals when it comes to free software,
but quite frankly, I think that many of the OpenBSD crowd think that
your ideals are wrong.  Freedom is all about freedom of choice.
If that means people choose non-free software on OpenBSD, at least they
are using OpenBSD, which is in itself free software.  OpenBSD with ALL
the non-free software from ports (yes, really ports) would still be a
much more free system than any Windows system using as many free apps
as a person could find for it.


> Stopping this childish-tantrum regarding the FSF would also
> be very much
> more productive.
>

childish-tantrum?  You know, when you resort to attacking the character
of the other person's argument rather than argue the facts of your case,
it means you have pretty much lost the debate and have nothing more to
say.

> > This discussion all started because Mr. Stallman very publicly
> > stated that OpenBSD was non-free and distributed non-free software
> > in it's ports tree.
>
> He didn't say OpenBSD was non-free, but that it distributed non-free
> Software.
>
> Looking at
> ftp://ftp.openbsd.org/pub/OpenBSD/4.2/packages/i386/zangband-2
>
>... seems to me a pretty clear case.
>

Ok... I get it... You are saying that zangband is such an important piece
of software that it alone is the cause of the downfall of free software.
Because OpenBSD distributes zangband nobody has any reason to install a
free OS or switch from MS Office to free office production software.

No... wait... I don't get it.  zangband is a GAME.  It could fall off the
face of the earth and nobody would blink.  The few people who play it would
move on to the next game.

I can't believe that this thread has gone on this long and this one GAME
is what it is all about.  Oh wait, it really isn't, but when we boil
the argument down, it does become the final stand for a free software
zealot who didn't realize that he didn't have a real position in the
first case.

s



Re: delete deleted data

2008-01-04 Thread Stuart VanZee
Just a little point.  Sometimes precautions are taken
not so much for the sake of what can be done today but
what someone might figure out how to do in the future.
I am not an engineer, but the explanation that I have
heard of how data is read from a wiped drive sounds
plausible (if not possible) given that the equipment
is available.  Who's to say that next week or next year
someone won't come up with a way of reading data from a
wiped drive by a method that we haven't even thought
of?  After all... man was never supposed to be able to:

-fly
-break the sound barrier
-understand women

oh wait... that last one I really do believe is
impossible.

s



Re: About Xen: maybe a reiterative question but ..

2007-10-25 Thread Stuart VanZee
>>What you're saying, appears to be:
>>
>>1)  3 applications in one OS - less secure.
>>2)  3 applications in 3 physical servers - more secure
>>3)  3 applications in 3 virtual servers each running one OS - in
>>between #1 and #2 for security
>
>Yes, indeed!
>
>>What the others are telling you is that you are wrong.  While there is
>>a continuum, is it closer to #1 or #2?  I believe it is closer to #1.
>>This is because, nobody has done an independent security audit of the
>>VMWare ESX platform.  When we say something is more secure, we can
>>show it in 2 ways - a track history, like openbsd, or some 3rd party
>>verification, fips, orange book, certification, whatever.  ESX's
>>recent history is extremely damaging.  Again, go look up all the
>>advisories.  Taking over a guest allows taking over a host?!?!?!
>>Where is your "separation" again?!
>
>The fact that #3 is more secure than #1 is the original hypothesis, at
>least from an 'application domain' standpoint. Others diverted the
>discussion to #2 which, while I assumed everyone would already accept this
>as fact, still proved an excellent discussion.
>

The reason that people are going to #2 is that, if you are concerned about
security, that is the optimal way of setting things up.  One box, one
task.  That is true "separation".  In this light, the question of if #3 is
more secure than #1 is truly a moot point.  BUT  To argue that a
VM running a service is more secure than a system running that same service
is rather weak... if the service can be exploited, it can be exploited.
Be it on a (#1) single server also running other stuff or a (#3) VM guest.
Give me root access to a box (from an exploit or an account, doesn't matter)
and I can crash the bitch.  VM... no VM...  No matter.  If I can crash
one guest, there is a whole lot of code to support that guest that may or
may not behave well.  If Theo et al. say that the separation that you get
from virtualization isn't all it's cracked up to be, then quite frankly
the brain trust of these people is pretty massive and they don't tend
towards just spewing crap for no reason, and the fact that you are arguing
about it doesn't make you look all that smart.  Nothing is perfect,
everything fails, everything eventually crumbles.

Let me quote you directly:

>L. V. Lammert:
>Virtualization provides near absolute security - DOM0 is not visible to
>the user at all, only passing network traffic and handling kernel calls.
>The security comes about in that each DOMU is totally isolated from the
>the others, while the core DOM0 is isolated from any attacks.

near absolute security?

wow...  strong words...  I think I'll switch today!  I don't think anyone
would say those words about even OpenBSD.  That's why we watch for patches
like demented hawks.  That's why we have IDS systems on our networks, and
comb through our logs looking for suspicious stuff.

You sir are selling virtual snake oil.  Or at least marketing it pretty
hard.  Feel free to buy in to your own delusion, but don't ask me to.
(funny, I say the same thing to certain religious types...)

s



Re: About Xen: maybe a reiterative question but ..

2007-10-25 Thread Stuart VanZee
L. V. Lammert:
>At 12:08 PM 10/25/2007 -0400, Stuart VanZee wrote:
>
>>The reason that people are going to #2 is that, if you are concerned about
>>security, that is the optimal way of setting things up.  One box, one
>>task.  That is true "separation".  In this light, the question of if #3 is
>>more secure than #1 is truely a moot point.  BUT  To argue that a
>>VM running a service is more secure than a system running that same service
>>is rather weak... if the service can be exploited, it can be exploited.
>
>No, you need to read the last two discussion replies - they, at least, make
>sense.
>
>Isolating ONE part of the discussion just posts extra traffic on the list.
>
>>Give me root access to a box (from an exploit or an account, don't matter)
>>and I can crash the bitch.
>
>Very true, but is completely offtopic from the OP, but, then, that has been
>forgotten long ago. I think everybody can agree that issues within a VM
>configuration can significantly ADD security risks, *especially* if you're
>running an OS that is not secure by default.
>
>The original discussion of VMs providing security for an application
>domain, however (per the summary posted about an hour ago), has nothing to
>do with this level of vulnerability. Providing separation of application
>domains in an enterprise adds an excellent level of security for the
>application users and admins. The fact that VM systems compound
>vulnerabilities, though very significant, is not an issue related to the
>OP. The fact that running those application domains on separate hardware to
>provide better security is also an option, but, again, not related to the
>OP. The fact that OBSD does not operate in that enterprise space, choosing,
>instead, to focus on core services, is again, not related to the OP.
>
>All of these tangential discussions have added a lot of good information to
>the list archives, thanks to all!
>
> Lee
>

Quite frankly, I tire of your dumb-ass attitude.  This was VERY ON TOPIC.
Security for the "application domain" is a function of the level of
vulnerability in the VM.  If the VM is vulnerable, the "application domain"
does not have an ice cube's chance in hell of being secure.  So security of
the VM is VERY on topic.  Because you stated:

"Virtualization provides near absolute security"

The fact that a guest is running in a virtual environment provides NO extra
protection to the users or the applications of THAT INDIVIDUAL GUEST.  If it
can be broken, it can be broken.  PERIOD.  I don't give a rat's ass if they
are running in a VM, not in a VM, or on a system made out of steaming piles
of dog shit.  What can be broken, can be broken.  Add to that, if you have a
virtualization server with a number of guests on it and even ONE of those
guests gets rooted, that ONE guest gives the interloper a much better
platform to launch attacks against the other guest systems than if each
guest was instead implemented on its own hardware and secured separately.
This is also on topic because, make no mistake, that is the proper metric
for this argument.  Comparing each service being run in its own guest to all
services running on one system is not a proper comparison because it assumes
that that is the normal accepted practice when security is of concern
(security is the topic that you are arguing, after all).  All it takes is
some missed bit of bad code in any one of hundreds of "virtual" hardware
services that the VM must provide to the guest operating systems and the
rest of the guests are vulnerable.  Even if they are systems that aren't
usually vulnerable to attack if they are used stand-alone, they now have to
worry about not only attacks from the outside network, they have to worry
about attacks from the VM stack itself because, as we have seen throughout
the years, if it exists, some bad guy somewhere will try to use it.  If it
is not perfect (and nothing is) sooner or later, some bad guy somewhere will
succeed.

I have heard many people who are considered experts in the field of security
say over and over again... (to the faithful) say it with me...

Simplicity is the path to security.
Complexity is the path to (security) RUIN.

Virtualization adds VERY much to the complexity of a system.  Argue with that
and you might as well try to argue that flan is good food (no offence intended
to those who actually like flan... ew...).



FW: About Xen: maybe a reiterative question but ..

2007-10-25 Thread Stuart VanZee
I finally get it...

LEE! YOU ARE A FUCKING GENIUS!

Hey everyone...

In Mr. Lammert's world, as long as NOBODY is trying to
break the system, VMs give a HUGE security plus!

Problem is, there are a lot of very bad motherfuckers out
there who ARE trying to break the system.  So, when someone
starts talking about security, excuse the hell out of me
for automatically thinking you mean security from those bad
guys, apparently you are talking about security from the
damn sheep who couldn't break the system if their lives
depended on it so they don't even try.

dude, if you take security in the context of people trying
to break the system (and we always are, fuck the sheep) you
have to take a MUCH larger view than what you are taking.
Suddenly things like "To VM or not to VM" become a very
serious question.  Ntpd, OpenNTPD, or rsync?
Intel? AMD? SPARC?  The question of having one server or
segregating into individual servers is a question that you
poke and prod until it's bloody. The permutations are
endless and to focus on one idea SO SMALL as "the sheep won't
be able to crash the VM so it must be more secure" is like
saying the onions in the soup aren't poison so the rest
of the ingredients must be ok.

There AREN'T multiple viewpoints on security. There is one.
And it encompasses everything, every topic, every idea, even
the very essence of the universe.  It has to, because if
you leave any little part out, you have failed.

Oh... and really, you have to take into account the sheep
too... you would be surprised at what they can do to a system
without even trying.  Just once have a UNIX system that a
Jr admin set up go down because Thelma the new secretary
was trying to figure out how to get AOL installed and working
right.



BIS3780

2007-11-02 Thread Stuart VanZee
I have a little issue here at work and I thought I would run
it past the list to see if anyone has any suggestions.

At work we have an ancient M$ box running an even more
ancient hw/sw combo of an 8 bit ISA card and a piece of
DOS software in order to speak to a client using the
BIS3780 protocol.  We have been completely unable to
get them to update to anything newer.

Does anyone know of a piece of software for OpenBSD
that could emulate 3780?  I would LOVE to be able to toss
the old box in the dumpster and use a nice new OpenBSD
box instead.

Google, Yahoo, even that MSN search thing came up with
SQUAT when I typed in BIS3780 so I am pretty sure that
this is a futile effort but didn't think it would hurt to try here
since I have tried everywhere else I can think of.

Thanks

s



File upload/download to https server

2008-01-30 Thread Stuart VanZee
Hello everyone.

I have an upcoming project where I need to be able to automate the upload and
download of files to/from an HTTPS server (not owned by me).  The server says
it requires 128 bit encryption.  I would like to be able to do this using
python because it is the language that I know the best and it is available on
the OpenBSD box that I would like to do this all from.  (please note I am not
a real great programmer, but I get by).

I have done some research and found py-OpenSSL in ports, and on another
project have used ClientForm for python although I haven't figured out how to
get them to work together.

Am I going in the right direction?  Is what I need to do even possible?

Thank you for any help.

Stuart van Zee
[EMAIL PROTECTED]



Re: Updates for old releases

2008-02-22 Thread Stuart VanZee
Jay,

Only the current version (4.2) and 1 previous version (4.1)
are supported.  That means no more patches for 4.0 as soon
as 4.2 came out.  For more information, please refer to the
OpenBSD FAQ.

s

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> Jay Hart
> Sent: Friday, February 22, 2008 8:41 AM
> To: Mark Prins
> Cc: misc@openbsd.org
> Subject: Re: Updates for old releases
>
>
> One question I have is if 4.0 is still being patched?  I
> notice that there
> are several patches out in 4.2 or 4.1, for example:
>
> 005: RELIABILITY FIX: January 11, 2008   All architectures
> A missing NULL pointer check can lead to a kernel panic.
> A source code patch exists which remedies this problem
>
> But either these don't apply to 4.0, or 4.0 is not having
> patches created
> anymore.
>
> What is the official policy for older releases with regards
> to patches?
>
> Thanks,
>
> Jay
>
> > 2008/2/22, Antonio Lobato <[EMAIL PROTECTED]>:
> >>  Hi all!
> >>
> >> I read http://openbsd.org/security.html (and
> stable.html), but could
> >>  not make
> >>  sure about my question.
> >>
> >> If today I download old versions (say
> /pub/OpenBSD/4.0/i386/cd40.iso) of
> >>   openbsd, does it already include the fixes listed in
> >
> > release != stable; you'll have to apply the patches (or get
> the/a newer
> > release)



OpenBSD + python + cron

2008-03-14 Thread Stuart VanZee
Hello everyone,

I have a python script that I have written that uses
the GnuPGInterface module to encrypt and sign some
files.  It works great when I run it from a command
prompt but when I set it to run via cron it errors
out.  Here is a copy of the traceback:

Traceback (most recent call last):
  File "/usr/local/sbin/svfil.py", line 269, in <module>
    main()
  File "/usr/local/sbin/svfil.py", line 234, in main
    encrypt( CONST_workspace + workfname, CONST_key)
  File "/usr/local/sbin/svfil.py", line 30, in encrypt
    p1.wait()
  File "/usr/local/lib/python2.5/site-packages/GnuPGInterface.py", line 639, in wait
    raise IOError, "GnuPG exited non-zero, with code %d" % (e << 8)
IOError: GnuPG exited non-zero, with code 35584

I suspect that when it is run via cron it is not being
able to access the keyring like it is when I run this
via the command prompt, but I don't know why that would
be.  When I run it via the command prompt I su to root
and when it is run via cron it is run by a job in root's
crontab.

Stuart van Zee
[EMAIL PROTECTED]



Re: [OT] Pursuing Management to adopt OpenBSD

2008-03-21 Thread Stuart VanZee
> From: Chris
> Subject: [OT] Pursuing Management to adopt OpenBSD
>
>
> I've been trying (rather unsuccessfully) to convince various clients and
> employers to adopt OpenBSD. Most people, I find, are resistant to
> change and would not use anything they are not familiar with. Others
> would say that if I leave the job, it would be hard to find people who
> can use (or even heard of) OpenBSD and in some places Management never
> heard of OpenBSD and have very little clue as to how good or bad it is
> compared to Linux/ Solaris and Windows thus they will just knock off
> the proposal in 2 seconds.
>
> Is there any way I could convince these people to make the move to
> OpenBSD? Suggestions, tips and tricks along with real life examples
> would be much appreciated. Thanks.
>
>

I have been in this same boat.  The company I work for was a completely
Windows environment when I was hired.  Any suggestions of anything non-
Windows was answered with angry looks and the mantra "We are a Windows
shop!  We are not interested in anything else!"  Then it happened.  One
of the big Win2003 FTP servers went down... hard...  very hard... smoke
rolling out of it hard... and everyone was running around crying "Oh
noes! Oh noes! What'll we do?"  because nobody bothered to come up with
a disaster recovery plan beyond "load up another box and put it out
there" and as many of us unlucky bastards know, It takes all day to get
a Win2003 server ready for deployment, especially if that deployment is
one that connects it to the Wild Wooly Internet.  Now, normally their
plan would have been fine because this particular business (at the time)
could live without their FTP server for that amount of time but fate
stepped in and they really needed their FTP server to be up and running
for a particular reason that evening.  So, I calmly walked in and made
the boast that I could get them an FTP server up and running in a matter
of an hour or two.  They were just desperate enough to call me on it.

We used that first OpenBSD 3.6 based FTP server for a couple years
upgrading as we went.  We are now running OpenBSD 4.2 (soon to be
upgraded to 4.3 YAY!) oddly enough on the same (repaired) box that used
to house the Win2003 FTP server.  The bosses have never looked back,
and never regretted giving a lowly "data processor" a chance to pull
their biscuits out of the fire by building an OpenBSD FTP server.  I have
FINALLY even talked them into supporting the project by pre-ordering 4.3
(and a nice t-shirt for me).

Oh, and that first OpenBSD FTP server has been joined by 8 or 9 other
OpenBSD boxes doing various this-and-thats around the place.  Firewalls,
mail servers, Time server, NIDS, Web Application server, and just about
anything else that I can throw together using spare parts while the
Windows tards are still trying to calculate the Hardware, OS, and
Licensing costs to implement.  I still haven't been able to break the
SQL server or Domain Controller barrier yet, but give me time.  The
boss is finally admitting that maybe we could do a few projects with
something other than Visual Basic...  Change comes slowly sometimes.

s



Re: Debian libssl security (Cause???)

2008-05-16 Thread Stuart VanZee
> From: Ross Cameron
> Sent: Friday, May 16, 2008 8:31 AM
> To: Otto Moerbeek
> Cc: misc@openbsd.org
> Subject: Re: Debian libssl security (Cause???)
>
>
> Mmm this isn't the first time I've heard of bogus reports
> from Valgrind.
> How does one politely inform the Debian project to not trust
> it explicitly
> and to human audit anything it flags?
>
> On Fri, May 16, 2008 at 1:41 PM, Otto Moerbeek <[EMAIL PROTECTED]> wrote:
>
> > On Fri, May 16, 2008 at 01:31:54PM +0200, Ross Cameron wrote:
> >
> > > Anyone got any thoughts on what the Debian project has
> been doing to
> > OpenSSL
> > > to have caused this in the first place?
> >
> > yes, read the stuff posted earlier, it contains all
> relevant links. To
> > summarize, to silence a bogus valgrind warning, almost all
> seeding of
> > the PRNG used by openssl was removed.
> >
> >-Otto
>
>
>

That only works if the people who are explicitly human auditing
the software are smart enough to know that you can't implicitly
trust something like Valgrind anyway.  So telling them isn't
really all that useful (if they were that smart, they would
already know).

I'm not saying that the Debian devs aren't smart, I'm just
saying that they aren't smart enough that I would trust them
to build a secure system.  This is why I use OpenBSD instead
of Debian Distorted Dingo oh wait... or is that some other
linux that uses the stupid names?  oh well...

s



Re: hello whiners and crybabies

2009-04-03 Thread Stuart VanZee
> From: RedShift
> Sent: Friday, April 03, 2009 1:04 PM
> To: misc@openbsd.org
> Subject: Re: hello whiners and crybabies
>
>
> kytoon wrote:
> > hello whiners and crybabies,
> >
> > you people make me sick. theo has a right to run obsd
> anyway he wants.
> > why? he runs the project! don't like that? start coding.
> because that's
> > the only thing that matters. you know, like you got
> anything going on in
> > there? oh, that's right. you don't, and you can't code. you
> can only
> > whine and cry, and take up theo's and the developer's
> valuable time.
> > screw you punks. that's right! you are punks. you don't
> even understand
> > what he and the developers do. you think they do this for
> you? screw
> > you. they do it because they like clean and efficient code.
> you know,
> > code that works. they do it for themselves! you cry because
> they don't
> > cave in and sign some nda to implement a poorly coded
> wireless device.
> > these guys rule the world of operating systems! hey! and
> they _GIVE_ you
> > a chance to tag along. THEY GIVE YOU THE CODE! they
> produce! every six
> > months, obsd gets better and better. you bunch of whining
> crying punks!
> > you should be giving theo all the money he needs to make obsd even
> > better! so, shut up and show the developers what you got,
> if you got
> > anything at all, other than the dribble of a paralyzed brain.
> >
> > with love to theo and the developers
> >
> >
>
> Just because they (the openbsd team) give it away for free,
> people aren't allowed to voice their opinions on it? OpenBSD
> has its shortcomings, you cannot deny that, and people will
> always complain about those. Saying "write it yourself" is
> avoiding responsibility. But they have the right to avoid
> their responsibility because they gave it away for free.
>
>
> Glenn
>
>

I am sorry you feel that way.  Do you often have these feelings
of entitlement?  Trust me, the world owes you NOTHING.

Is the soup kitchen avoiding its responsibility when the
homeless man comes in and demands more meat in his soup?
No, it is soup.  The sign says "Soup Kitchen".  They are giving
it away for free.

I have to agree with the OpenBSD Devs when they say to someone
"write it yourself" when someone complains about something,
just like I agree with the people who run the soup kitchen when
they say "if you don't like our soup, go out and get the stuff
and make your own".

I am a beggar.  I cannot code an OS.  If I want something
in OpenBSD that isn't already there, I can but humbly ask.
I respect the OpenBSD Devs enough to try not to bother them with
dumb requests.

I DO NOT HAVE THE RIGHT TO _DEMAND_ ANYTHING.

and neither do you.

s



vi line wrap.

2009-04-16 Thread Stuart VanZee
Please feel free to laugh at me.  I've read the man page and did a google
search and haven't figured this out.  How does one turn off the line wrap
in OpenBSD's version of vi?  My linux friends say ":set nowrap" but nowrap
doesn't seem to exist in the version of vi that ships with OpenBSD

Thanks, and sorry for the stupid question.

Stuart van Zee
stua...@datalinesys.com



Re: vi line wrap.

2009-04-16 Thread Stuart VanZee
HAH!!! that did it.  Thank you so much for your help.

And thanks to everyone else who posted answers and/or
comments.

s

> -Original Message-
> From: owner-m...@openbsd.org
> [mailto:owner-m...@openbsd.org]on Behalf Of
> Otto Moerbeek
> Sent: Thursday, April 16, 2009 1:16 PM
> To: Openbsd Misc (E-mail)
> Subject: Re: vi line wrap.
>
>
> On Thu, Apr 16, 2009 at 10:16:05AM -0500, Emilio Perea wrote:
>
> > On Thu, Apr 16, 2009 at 04:31:51PM +0200, Jan Stary wrote:
> > > On Apr 16 09:59:29, Stuart VanZee wrote:
> > > > I've read the man page
> > >
> > > No you haven't:
> > >
> > >  wraplen, wl [0]
> > >vi only.  Break lines automatically, the specified
> number of
> > >columns from the left-hand margin.  If both the wraplen and
> > >wrapmargin edit options are set, the wrapmargin
> value is used.
> > >
> > >  wrapmargin, wm [0]
> > >vi only.  Break lines automatically, the specified
> number of
> > >columns from the right-hand margin.  If both the
> wraplen and
> > >wrapmargin edit options are set, the wrapmargin
> value is used.
> >
> > I don't think that's what he was looking for.  He was looking for a
> > toggle for the lines wrapping in the vi display, nothing in the file
> > contents.  As I understand it he wanted to see only a part
> of any lines
> > longer than the display rather than have them wrap so as to
> appear to be
> > on the lines below.
>
> In that case, the leftright option might be the answer.
>
>   -Otto



Re: Multiple layers of NAT

2009-04-21 Thread Stuart VanZee
> From: Lars Nooden
> Sent: Tuesday, April 21, 2009 3:33 AM
> To: OpenBSD Misc.
> Subject: Multiple layers of NAT
>
>
> Sometimes I have to set up a LAN inside a pre-existing NAT'd LAN and
> traffic from the inner LAN (B) does not make it to the
> Internet or even
> to final, external interface (4).
>
>             +-------+         +--------+
>    LAN B ---+ 1     +         +  Box2  +
>             +  NAT  +         +       4+---> Internet
>             +      2+--LAN A--+3  NAT  +
>             +  Box1 +         +--------+
>             +-------+
>
> What kind of generic change is needed in PF to get from LAN B
> through to
> the outside?
>
> Setting the IP range for LAN B to match those of LAN A is one option,
> but has to be done each time and also may run the risk of collision on
> some subnets.
>
> Regards
> -Lars
>
>

I do this all the time and it works fine for me.

You do have to remember that the firewall rules on box2
won't see anything as coming from LAN B because all of
that is being NATed to the IP of interface 2.  So, if
you want a "LAN B"er to have www access you have to tell
box 2 to give interface 2 www access (as well as telling
box 1 to allow the www traffic).  Think of it from the
perspective of each firewall with regards to what each
box will THINK it is getting (because of the NAT) not
where the traffic is actually coming from.

I hope this helps.

s
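To make the point above concrete (Box2 only ever sees Box1's interface 2 address as the source, never a LAN B address), here is an added Python model of the two NAT boxes; it is not code from the original post, and the addresses, port and rule sets are constructed for illustration. It also shows the general case: a Box2 rule written for all of LAN A covers interface 2 as a side effect.

```python
"""Model of the double-NAT layout from the thread: LAN B sits behind Box1,
whose outside interface (2) is on LAN A, which in turn sits behind Box2.

Added example, not code from the original post.  Each box filters on the
packet *it* sees and then rewrites the source to its own outside address.
"""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class NatBox:
    """A firewall that filters first, then source-NATs what it passes."""
    name: str
    outside_addr: str          # address packets carry when they leave
    pass_rules: tuple          # (source network, destination port) pairs

    def forward(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        for net, port in self.pass_rules:
            if src in ipaddress.ip_network(net) and pkt.dport == port:
                # NAT happens after the filter decision: the next box will
                # see this box's outside address, not the original source.
                return replace(pkt, src=self.outside_addr)
        return None            # blocked by this box's filter


def traverse(pkt, boxes):
    """Push pkt through each box in order.  Returns the packet as it would
    reach the Internet, or None if some box blocked it."""
    for box in boxes:
        pkt = box.forward(pkt)
        if pkt is None:
            return None
    return pkt


# Constructed addresses (not from the post).
LAN_B = "192.168.2.0/24"       # inner LAN behind Box1
LAN_A = "192.168.1.0/24"       # LAN between Box1 and Box2
BOX1_IF2 = "192.168.1.50"      # Box1's interface 2, a host on LAN A
BOX2_IF4 = "203.0.113.7"       # Box2's external interface

box1 = NatBox("Box1", BOX1_IF2, ((LAN_B, 80),))

# The intuitive but wrong Box2 rule: "let LAN B reach the web".  Box2 never
# sees a LAN B source address, so this rule never matches.
box2_wrong = NatBox("Box2", BOX2_IF4, ((LAN_B, 80),))
# What the post describes: give interface 2's address www access on Box2.
box2_right = NatBox("Box2", BOX2_IF4, ((BOX1_IF2 + "/32", 80),))
# A rule for all of LAN A covers interface 2 too, since it lives on LAN A.
box2_lan_a = NatBox("Box2", BOX2_IF4, ((LAN_A, 80),))


def www_from_lan_b(box2):
    """A LAN B host opening port 80 on an Internet address via Box1, Box2."""
    pkt = Packet("192.168.2.23", "198.51.100.10", 80)   # constructed
    return traverse(pkt, (box1, box2))


if __name__ == "__main__":
    print(www_from_lan_b(box2_wrong))   # None: dropped at Box2
    print(www_from_lan_b(box2_right))   # src rewritten to 203.0.113.7
    print(www_from_lan_b(box2_lan_a))   # same result via the LAN A rule
```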



ftpd concatenating files?

2008-11-07 Thread Stuart VanZee
I had an odd occurrence and wanted to know if anyone has seen the
same.  I have an OpenBSD 4.3 system running ftpd for the company
that I work for.  This system has a daemon that I wrote that watches
the client's folders for a file upload and then when it is sure that
the file is complete, it pulls the file out of the folder and sends
it on to the next step.  Today I received a complaint that one of
the clients was missing one of the files that they uploaded.  I
took a look in the logs and the file moving daemon only saw one
file.  Then I looked in the xferlog and this is what I found:

Nov  5 12:02:03 ftp43 ftpd[30739]: FTP LOGIN FROM 10.10.10.10 as customer1
Nov  5 12:02:09 ftp43 ftpd[30739]: put /customer1file = 3400 bytes
Nov  5 12:02:25 ftp43 ftpd[30739]: put /customer1file = 5687 bytes

(note, the log entries have been sanitized).

Ah-HAH! says I.  They uploaded the first file and then overwrote it
before the file moving daemon could get ahold of it (which usually
takes anywhere from 2 to 4 min).

BUT!... the client is claiming that the file that arrived at the
next step had the data from BOTH of the uploaded files as if the
two files had been concatenated together.  The file moving daemon
is definitely NOT setup to do this, all it does is a file move.

Has anyone seen ftpd concatenate two files that were uploaded with
the same name?

Thank you for your time.  Please let me know if there is any more
information that you need.

Stuart van Zee
[EMAIL PROTECTED]



ssl v2 question

2009-02-04 Thread Stuart VanZee
I am sorry if this seems like a dumb question.

Recently my boss has been informed that supporting SSL Version 2
would make us non-compliant with PCI (Payment Card Industry)
certification.  My guess would be that (being on top of such things)
OpenBSD's httpd probably doesn't use sslv2 since, from what I have
read, there are known issues with it.  But that is a GUESS, not a
KNOW, and as usual, the boss wants some kind of proof.

I didn't see anything on this subject in the FAQ.  I looked in the
man pages for ssl, openssl, httpd, and anything else I could think
of and they look like sslv2 IS supported but I couldn't figure out
if it was used or not.  I googled, but was overwhelmed with info
about sslv2 stuff from way back in 3.9 and couldn't find anything
newer (yes, my google foo needs work I'm sure).

So the question is.  How do I prove that our https server doesn't
provide support for sslv2?

Stuart van Zee
stua...@datalinesys.com



Re: ssl v2 question

2009-02-04 Thread Stuart VanZee
> From: Philip Guenther [mailto:guent...@gmail.com]
> To: Stuart VanZee
> Cc: Openbsd Misc (E-mail)
> Subject: Re: ssl v2 question
>
>
> On Wed, Feb 4, 2009 at 6:21 AM, Stuart VanZee
>  wrote:
> ...
> > So the question is.  How do I prove that our https server doesn't
> > provide support for sslv2?
>
> First, you disable it per Otto's email.  Then, you run a
> script like this:
>
> #!/bin/sh
> openssl ciphers -v |
> while read cipher version other; do
>     printf 'HEAD / HTTP/1.0\n\n' |
>     openssl s_client -connect 127.0.0.1:443 -cipher $cipher \
>         -ssl${version##*v} -quiet 2>&1 |
>     grep HTTP >/dev/null && echo $version $cipher
> done
>
>
> That'll report the SSL protocol version and cipher suite combos that
> it supports for the root page.  (In openssl, the cipher suites for TLS
> are the same as for SSLv3, so that script only reports SSLv3 for
> both.)
>
>
> Philip Guenther
>

Thank you everyone for the replies.  With the information provided
by Marc Espie, Otto Moerbeek, Dennis Davis, Philip Guenther and a
few others I was able to get my https server configured correctly
and as a bonus, I was able to find enough info that I was able to
understand what I was doing rather than just blindly following a
how-to or someone's directions.  I ended up with:

SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM

as the settings in httpd.conf and was able to verify the results
using the script that was provided by Philip.

Again, thank you all for the wonderful help.

s



Ramifications of blocking SYN+FIN TCP packets

2009-03-11 Thread Stuart VanZee
I understand that this might annoy a few of you; if it does,
please accept my apologies.

The place I work is required to have an external security scan
from time to time and the latest scan says that we have failed
because the firewall responded to a TCP packet that has the SYN
and FIN flags set.  I know that OpenBSD isn't vulnerable to the
exploits that use this:

http://www.kb.cert.org/vuls/id/IAFY-5F8RWP

However, I don't see any reason to respond to a packet with SYN
and FIN set, AND, a firewall rule that drops said TCP packets
would fix the fact that we are now "non compliant" as far as
the security scan goes.  I think a pf rule such as:

block drop in quick proto tcp all flags SF/SF

would do it.

Does anyone see a way that this would come back to bite me on
the ass later?

Stuart van Zee
stua...@datalinesys.com

Sage advice requested... fire retardant underwear in place...



Re: Ramifications of blocking SYN+FIN TCP packets

2009-03-12 Thread Stuart VanZee
Thank you all for the interesting discussion on this issue.
I can't prove it but I think I have gained at least one IQ
point just from the privilege of reading said responses.

In my case, I think the answer boils down to the fact that
it doesn't seem possible to implement a rule that blocks
these packets while still using packet normalization (scrub)
since scrub is the first thing that sees a packet and drops
the FIN on a packet that has SYN+FIN set (at least that is
how I understand it).

At this point, I don't think I want to stop using scrub just
to get a "fail" that doesn't apply to OpenBSD off of my
report.  Not when I can just as easily put in an appeal
along with proof that this particular "vulnerability"
doesn't apply to OpenBSD (see initial message for link if
you are interested).

Again, thanks to those who responded. I have learned a lot
from your efforts.  Also, a very special thank you to all
the developers of OpenBSD/OpenSSH for all the hard work that
you do.  I have said it before, and say it again; "OpenBSD
makes me look smart" (which is not always an easy task).

Stuart van Zee
stua...@datalinesys.com
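The interaction described across the two messages (the `flags SF/SF` rule from the first post, and scrub stripping the FIN from a SYN+FIN packet before any rule sees it) is modelled below as an added Python example; it is not code from the original posts, the flag letters follow pf.conf's naming, and the scrub step is written exactly as the follow-up describes it rather than taken from pf's source.

```python
"""Model of pf 'flags a/b' matching and of the scrub behaviour the thread
describes: a SYN+FIN packet loses its FIN in scrub, so a rule written as
'flags SF/SF' never matches once scrub is in front of it.

Added example, not from the original posts.
"""

# TCP flag bits keyed by the single letters pf.conf uses.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def flags_to_bits(letters):
    """'SA' -> TH_SYN|TH_ACK."""
    bits = 0
    for ch in letters:
        bits |= FLAG_BITS[ch]
    return bits


def flags_match(pkt_flags, spec):
    """pf semantics for 'flags a/b': of the flags listed in b (the mask),
    exactly those listed in a must be set; flags outside b are ignored."""
    want, mask = spec.split("/")
    return (pkt_flags & flags_to_bits(mask)) == flags_to_bits(want)


def scrub(pkt_flags):
    """Normalisation step as the follow-up describes it: when both SYN and
    FIN are set, the FIN is cleared before the packet reaches the rules."""
    synfin = FLAG_BITS["S"] | FLAG_BITS["F"]
    if (pkt_flags & synfin) == synfin:
        return pkt_flags & ~FLAG_BITS["F"]
    return pkt_flags


# The rule from the first post: block drop in quick proto tcp all flags SF/SF
RULE_SPEC = "SF/SF"


def blocked_by_rule(letters, use_scrub):
    """Would a packet with these flags be caught by the SF/SF block rule,
    with or without scrub running first?"""
    bits = flags_to_bits(letters)
    if use_scrub:
        bits = scrub(bits)
    return flags_match(bits, RULE_SPEC)


def evaluate(samples, use_scrub):
    """Map each sample flag combination to the rule's verdict."""
    return {s: blocked_by_rule(s, use_scrub) for s in samples}


# Constructed sample packets: plain SYN, SYN+ACK, SYN+FIN, FIN, ACK, SYN+FIN+ACK
SAMPLES = ("S", "SA", "SF", "F", "A", "SFA")

if __name__ == "__main__":
    print("no scrub:", evaluate(SAMPLES, use_scrub=False))
    print("scrub:   ", evaluate(SAMPLES, use_scrub=True))
```

With scrub in place the rule catches nothing, which is the author's conclusion: the rule and scrub cannot both do their job on the same packet.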



IBM x335 1u server advice

2008-07-16 Thread Stuart VanZee
Does anyone here have some experience with an IBM x335 1u server.
I am looking at a couple of these for use in some basic general
server stuff using OpenBSD but they don't have PS/2 Keyboard
ports.  Just some sort of KVM connector called ct2 that I have
never heard of.  Would I be able to ignore this and just install
using a USB keyboard?  Or should I just steer away from these and
go with something more..  "normal".

thanks

s



Re: This is what Linus Torvalds calls openBSD crowd

2008-07-16 Thread Stuart VanZee
> From: Marti Martinez
>
> >From http://article.gmane.org/gmane.linux.kernel/706950
> > I think the OpenBSD crowd is a bunch of masturbating monkeys
>
> Well, shit, he's got ME nailed...
>
> --
> Systems Programmer, Principal
> Electrical & Computer Engineering
> The University of Arizona
> [EMAIL PROTECTED]
>

I think I'll have a Masturbating Monkey t-shirt made.
The Idea is to have "OpenBSD Forever" on the front and
"Masturbating Monkey" on the back.  Does anyone here
have a problem with that?  (I wouldn't want to offend).

Oh, and feel free to make your own t-shirt (I'm not
intending on selling them), but be warned, wearing a
t-shirt like this in the wrong place could cause an
altercation.  I am 6'3" and 260lbs so people don't mess
with me, If you are a smaller or more peaceful person
please be wary.

I think the best revenge in a situation like this is to
take an insult and keep it as a souvenir.

Thanks Linus.

s

PS  I think the penguins are just jealous, ever try to
masturbate with a flipper?



sftp logging

2008-07-24 Thread Stuart VanZee
I can't seem to get logging for sftp working.

OpenBSD 4.3

Here is the line from my sshd_config

Subsystem   sftp    /usr/libexec/sftp-server -f LOCAL7 -l DEBUG

Here is the line from syslog.conf

local7.*    /var/log/local7.log

I went as far as rebooting the server to make sure the config
files were read.  Nothing is being written to /var/log/local7.log.
I tried creating a local7.log in case syslog wasn't able to
create it (read that somewhere in my searching for an answer, sounds
hokey to me, but did it anyway) but that didn't help.  Google gave me
a haystack to search through but found confirmation of my config
on a OS X support site but who knows if that is valid for OpenBSD.

If anyone has a cluestick, please hit me with it.

Stuart van Zee
[EMAIL PROTECTED]



syslogd -a question

2008-08-05 Thread Stuart VanZee
Hello OpenBSD Misc,

I have been doing some work with chrooting user accounts for
a project, and now I am looking to get syslogd working. I
found out that I need a log socket in the chroot environ
for this to work and the -a option does this fine and works
great!  BUT... now that I have one working, I need to be
able to chroot a whole bunch of these and looking in the
syslogd man page I see:

-a path
        Specify a location where syslogd should place an additional log
        socket.  Up to about 20 additional logging sockets can be
        specified.  The primary use for this is to place additional log
        sockets in /dev/log of various chroot filespaces.

The part that worries me is the "Up to about 20" part.  Is
this a hard limit?  Is there a way to extend this?  I am
looking at setting up around 100 user accounts like this but
most of them will only be used a few times a month so I'm
not really worried about resources too awful much.

Currently I am using OpenBSD 4.3

s



Re: NSA Resources For Rapid Targeting and Routing Analysis

2008-09-19 Thread Stuart VanZee
> From: Ted Unangst
> Sent: Friday, September 19, 2008 1:12 PM
> Cc: Misc OpenBSD
> Subject: Re: NSA Resources For Rapid Targeting and Routing Analysis
>
>
> On Fri, Sep 19, 2008 at 12:38 PM, Doug Milam
> <[EMAIL PROTECTED]> wrote:
> > Subject: NSA Resources For Rapid Targeting and Routing Analysis
> > Date: Sat,  2 Jun 2007 08:53:31 +0200 (CEST)
> >
> > In order to send ICMP or TCP packets (or spoofed UDP
> packets), "pinging" for rapid
> > acquisition and analysis of a target IP's packet traffic
> routing data at the Internet
> > IXP-level, NSA has primarily used, starting earlier than
> early 2006, the following
> > IP ranges, with identification information where available,
> for initial rapid target
> > "pings." Other resources for subsequent tracking of a
> target's IP packet traffic have
> > been previously reported via Cryptome.org.
>
> Can somebody please translate that into normal?
>
>
>

Is it time to invest in a tin foil hat?

s



PCI Compliant Vulnerability Scanner

2008-10-03 Thread Stuart VanZee
Once again it is time for the quarterly security review
required for my company to maintain PCI compliance.
Unfortunately, It seems that the Nessus scanner that we
had been using is no longer free.  Can anyone recommend
a PCI compliant vulnerability scanner that I can use
on OpenBSD.  It will need to be able to scan both OpenBSD
and Windows boxen.

Really, Nessus has worked so well for us in the past that
I wouldn't be opposed to just buying it except for the
fact that it went from free to $1200.  That really blows
a huge hole in the budget of the small co I work for.

For those USians who have to maintain PCI compliance,
what are you guys using?

Stuart van Zee
[EMAIL PROTECTED]



Re: Modern operating systems are flawed by design, including OpenBSD.

2008-10-23 Thread Stuart VanZee
Wow, that sure makes a good sound bite... but

http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx

I rest my case...  No one thing is the end-all be-all of security.
Signed binaries... my ass...

s

> From: mak maxie
> Sent: Thursday, October 23, 2008 6:54 AM
> To: misc@openbsd.org
> Subject: Modern operating systems are flawed by design,
> including OpenBSD.
>
>
> http://www.computerworld.com.au/index.php?id=264209080&rid=-219
>
> Microsoft Windows is the only operating system that supports signed binaries.
> _
> [EMAIL PROTECTED]
> http://msn.com.hk



Daily email from address

2009-07-17 Thread Stuart VanZee
Ok, this is probably obvious but for some reason I am not coming
up with an answer to this.  I have tried google and what man pages
that I could think up to look at so if there is a man page with this
info or a google search that provides an answer please point me in
the right direction (because apparently I missed it).

Here is my problem.

Our main email server is hosted by another company.  This company
also has a co-lo facility where we put our web servers etc.  Recently,
they have switched to a new email system and now I am not receiving
the daily emails (or insecure etc.) from our co-loed boxes.  Some
digging found that this new mail system checks to see if the from
address on an email is a valid email address, and it isn't.  For
instance, the daily email from our "foo" server would come from:

r...@foo.datalinesys.com

The email server doesn't have an account for that email address so
the email is rejected.  How would I go about telling each of our co-loed
boxes to use a particular email address as the from address for
stuff like daily email etc. so that it will look to the email server
like it is coming from a valid email address and thus accept the email?

Or is there a better solution that I haven't come up with?

Thank you for your time.

Stuart van Zee
stua...@datalinesys.com



mail issue

2009-08-27 Thread Stuart VanZee
I am using OpenBSD 4.5

When I try to use mail to send email from a user account I
get an error:

can not chdir(/var/spool/mqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.

Searching for this, I have found in various places many different
explanations of why this is and quite a few different possible
fixes, but none of them seemed to work.  Sending mail from my
OpenBSD 4.4 box works fine.

I am sure I have just missed something.  Could someone point me
in the right direction?  Please let me know if there is any more
info that you need.

Stuart van Zee
stua...@datalinesys.com



Re: mail issue

2009-08-27 Thread Stuart VanZee
> From: John Cosimano
> Sent: Thursday, August 27, 2009 1:41 PM
> To: Openbsd Misc (E-mail)
> Subject: Re: mail issue
>
>
> --- Stuart VanZee [Thu, Aug 27, 2009 at 11:55:39AM -0400]: ---
> > I am using OpenBSD 4.5
> >
> > When I try to use mail to send email from a user account I
> > get an error:
> >
> > can not chdir(/var/spool/mqueue/): Permission denied
> > Program mode requires special privileges, e.g., root or TrustedUser.
>
> what are the filesystem permissions on /var/spool/mqueue and
> /usr/libexec/sendmail/sendmail ?
>
> what MUA are you using to send?
>
>

/var/spool/mqueue:

drwx------  2 root  wheel  512 Aug 27 13:38 mqueue

/usr/libexec/sendmail/sendmail:

-r-xr-sr-x  1 root  smmsp  634364 May 19 15:21 sendmail

I am using the mail command like I usually do like:

$ mail stua...@datalinesys.com

thanks.

s



Payment Card Industry (PCI) Data Security Standard HELP!

2009-10-21 Thread Stuart VanZee
The company I work for is having their yearly Payment Card Industry
(PCI) assessment and while I believe that OpenBSD is the most secure
OS going, I am having some problems proving it.  Here are some of
the issues I need to figure out.

8.5.9    For a sample of system components, obtain and inspect system
 configuration settings to verify that user password parameters
 are set to require users to change passwords at least every
 90 days.
 I have no idea how to set OpenBSD to do this, any suggestions?

8.5.10   For a sample of system components, obtain and inspect system
 configuration settings to verify that user password parameters
 are set to require passwords to be at least seven characters long.
 I know that OpenBSD uses 6 characters, is there a way to change this?

8.5.12   For a sample of system components, obtain and inspect system
 configuration settings to verify that user password parameters
 are set to require that new passwords cannot be the same as the
 four previously used passwords.
 I have no idea how to set OpenBSD to do this, any suggestions?

8.5.13   For a sample of system components, obtain and inspect system
 configuration settings to verify that user password parameters
 are set to require that a user's account is locked out after not
 more than six invalid logon attempts.

8.5.14   For a sample of system components, obtain and inspect system
 configuration settings to verify that user password parameters
 are set to require that once a user's account is locked out, it
 remains locked for a minimum of 30 minutes or until a system
 administrator resets the account.
 13 and 14 go together; I know that this isn't the scheme that OpenBSD
 uses.  In OpenBSD, each time a user fails a password attempt it takes
 a little bit longer to get a new login prompt.  Maybe if there was a
 way that I could set it so that by the time six failures happen that
 it takes 30 minutes to get the next login prompt.  Does anyone know
 how to do this or have any other suggestion?

8.5.15   For a sample of system components, obtain and inspect system
 configuration settings to verify that system/session idle time
 out features have been set to 15 minutes or less.
 This one requires that a user must re-enter the password if their
 terminal is idle for more than 15 minutes.  Any ideas how to do this
 with OpenBSD?


I am sure that there are others out there that use OpenBSD in an environment
that requires PCI compliance.  How do you meet these requirements?

BTW.  While I usually don't mind constructive criticism, replies that
attack the requirements rather than show how to meet them aren't at all
helpful and are a complete waste of time.  We all understand that a one-
size-fits-all kind of standard like the PCI standard pretty much sucks
as far as actual benefit goes, but arguing with the Payment Card Industry
about it isn't an option, they don't listen, it's either comply with their
standard or don't get PCI approval.

Stuart van Zee
stua...@datalinesys.com



Re: Payment Card Industry (PCI) Data Security Standard HELP!

2009-10-22 Thread Stuart VanZee
>Matthew Weigel
>
> I don't, I'm afraid, and a quick Google (which could have
> answered some
> of your other questions) suggests that it's come up before
> both on misc@
> and elsewhere.  I know you don't want to hear about how the
> PCI DSS is
> wrong, but in this case their wrongness is, I think, the
> reason it's not
> an available option.
>
> You could likely implement this yourself with a custom login
> style, though.
>

Thank you all for the help.

Yes, more than a few people have pointed out how poorly
I did at Googling this.  I really have no excuses for that.
I was searching from the wrong direction I guess.

On the bright side, because this list houses some of the best
brainpower anywhere I have all but two of the requirements
finished (yes, the easy ones) and one of the two left I'm sure
I can handle on my own.  That being 8.5.12 which forces users
not to reuse passwords.  I'm pretty sure a passwordcheck in
login.conf will do that once I code the program to track them.

The last is 8.5.13 locking users out after 6 failed login
attempts.  Quite frankly I find this to be a pretty stupid
requirement as it causes a built-in denial of service.  I see
how creating a custom Authentication style would allow me to
do this (in spite of my reservations), but I don't really do
much in the way of C coding these days.  I have been looking
at the code in login.c and login_passwd.c and I understand
about half of it (I think).  If anyone could give me a shove
in the right direction I would sincerely appreciate it.

s
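A concrete version of the passwordcheck program discussed in this reply and under 8.5.12 above, added here as an example and not Stuart's own (unreleased) code; it assumes the username can be taken from the real uid, uses a hypothetical history path, and substitutes portable PBKDF2 for OpenBSD's bcrypt.

```python
# Added example, not Stuart's (unreleased) code: a password-history filter in
# the shape of a login.conf(5) passwordcheck program, which is given the new
# password on stdin and must exit 0 to accept it.  Assumed: the user comes from
# the real uid (passwd is setuid root), and HISTORY_FILE is a hypothetical path.
import hashlib, hmac, json, os, pwd, sys

HISTORY_FILE = "/var/db/pwhistory.json"  # assumed path; keep it root-only (0600)
KEEP = 4            # PCI DSS 8.5.12: reject the last four passwords
ITERATIONS = 100_000  # PBKDF2 work factor (portable stand-in for bcrypt)

def hash_pw(password, salt):
    """Salted PBKDF2-HMAC-SHA256: a leaked history file is not a plain hash list."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def is_reused(password, entries):
    """True if the candidate matches any stored (salt, hash) pair."""
    return any(hmac.compare_digest(hash_pw(password, bytes.fromhex(e["salt"])), e["hash"])
               for e in entries)

def remember(password, entries, keep=KEEP):
    """History with the new password appended and trimmed to the last `keep`."""
    salt = os.urandom(16)
    return (entries + [{"salt": salt.hex(), "hash": hash_pw(password, salt)}])[-keep:]

def load_history(path):
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}

def save_history(path, data):
    tmp = path + ".tmp"  # write-then-rename so a crash never truncates the file
    with open(os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as f:
        json.dump(data, f)
    os.rename(tmp, path)

def main():
    user = pwd.getpwuid(os.getuid()).pw_name
    password = sys.stdin.readline().rstrip("\n")
    data = load_history(HISTORY_FILE)
    entries = data.get(user, [])
    if is_reused(password, entries):
        print("password matches one of the last %d used" % KEEP, file=sys.stderr)
        return 1  # nonzero: passwd(1) rejects the new password
    data[user] = remember(password, entries)
    save_history(HISTORY_FILE, data)
    return 0
if __name__ == "__main__":
    sys.exit(main())
```

Wire it in with a `passwordcheck=` entry for the login class in login.conf(5); note that the history is recorded when the check passes, so a later failure of passwd(1) still leaves the entry in the file.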